Fedora Linux Support Community & Resources Center

  #1  
Old 21st September 2017, 01:58 AM
dswaner Offline
unknown tmp file appears and disappears

In my ramdisk directory, I noticed a tmp file - I don't know where it came from. I did an "ls -l" - got the full mtime - the size was 4 bytes. Wondering where it came from, I did a bash "history" (which I have time-stamped), in the 3 open terminal tabs - nothing matched the mtime. I looked in the journal - no messages around that time. I went back to list the access time on the tmp file, and it was gone - I did nothing to remove it.

I guess what is going on here is some system process is a little sloppy in where it is putting tmp files.

Anyone know what happened here?
  #2  
Old 21st September 2017, 12:09 PM
srakitnican Offline
Re: unknown tmp file appears and disappears

Next time it happens try to use `lsof` to see what process is using it.
  #3  
Old 21st September 2017, 05:11 PM
dswaner Offline
Re: unknown tmp file appears and disappears

Thanks - "lsof" is what I should have done, and will do if it happens again.
  #4  
Old 21st September 2017, 05:33 PM
dswaner Offline
Re: unknown tmp file appears and disappears

I tried to stick an audit on my ramfs, with no luck. Then I changed the ramfs to a tmpfs, and still no luck.
By no luck, I mean when I touch a file in that directory and then do an ausearch on my key, I don't get any results.

Anyone know the trick I'm missing to audit a ramfs / tmpfs?

However, when the audit is on the ramfs or tmpfs, I get lots of audit messages in the journal, which contain "SECCOMP" and firefox. By "lots" I mean thousands pile up in a couple of minutes. Firefox has no business looking at that directory as far as I know.
  #5  
Old 21st September 2017, 09:38 PM
dswaner Offline
Re: unknown tmp file appears and disappears

My bad. The reason the tmp file "mysteriously" disappeared is because I exited from a cli process in another terminal tab, which deleted the file when it exited. The reason the timestamps didn't match up was because the process overwrote that file many times - so the mtime changed many times.

Marking this thread SOLVED, even though that still leaves the questions about ramfs and tmpfs and audit, and why setting that audit causes the firefox messages in the journal - perhaps fodder for one or two bug reports.
  #6  
Old 22nd September 2017, 05:00 PM
dswaner Offline
Re: unknown tmp file appears and disappears

Re the problems with tmpfs audits and firefox:
My bad again: in my audit rules I used "path=" instead of "dir=". When that correction is made, auditing tmpfs works fine, and there are no strange firefox audit messages.

Why specifying "path=" in an audit rule on a tmpfs should cause a flood of audit messages re firefox, I leave to the specialists to ponder, if they are so inclined.
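One way to answer "which process created and removed that file" from audit data, once a `dir=` rule like the one described in post #6 is loaded. This is an added example, not part of any post in the thread; the `/mnt/ramdisk` path, the `ramdisk-watch` key, the `mytool` process and the sample records are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: attribute file creation/deletion in an audited directory.
# Rule assumed loaded as root (dir= watches the whole tree; path and key are assumptions):
#   auditctl -a always,exit -F dir=/mnt/ramdisk -F perm=wa -k ramdisk-watch
# Raw records for the parser would come from: ausearch -k ramdisk-watch --raw

# Constructed sample records (not captured from a real system):
# create, overwrite, then delete of one file by the same process.
sample_events() {
cat <<'EOF'
type=SYSCALL msg=audit(1506015480.101:211): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=3100 pid=4242 auid=1000 uid=1000 comm="mytool" exe="/usr/local/bin/mytool" key="ramdisk-watch"
type=CWD msg=audit(1506015480.101:211): cwd="/home/user"
type=PATH msg=audit(1506015480.101:211): item=0 name="/mnt/ramdisk/" inode=2 nametype=PARENT
type=PATH msg=audit(1506015480.101:211): item=1 name="/mnt/ramdisk/tmp.lock" inode=17 nametype=CREATE
type=SYSCALL msg=audit(1506015512.667:230): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=3100 pid=4242 auid=1000 uid=1000 comm="mytool" exe="/usr/local/bin/mytool" key="ramdisk-watch"
type=PATH msg=audit(1506015512.667:230): item=0 name="/mnt/ramdisk/tmp.lock" inode=17 nametype=NORMAL
type=SYSCALL msg=audit(1506015590.004:305): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=3100 pid=4242 auid=1000 uid=1000 comm="mytool" exe="/usr/local/bin/mytool" key="ramdisk-watch"
type=PATH msg=audit(1506015590.004:305): item=0 name="/mnt/ramdisk/" inode=2 nametype=PARENT
type=PATH msg=audit(1506015590.004:305): item=1 name="/mnt/ramdisk/tmp.lock" inode=17 nametype=DELETE
EOF
}

# Join each PATH record to the SYSCALL record with the same msg=audit(ts:id)
# and report only the events that create or delete a directory entry.
who_touched() {
  awk '
    # Return the value of key k on the current record, quotes stripped.
    function field(k,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, k "=") == 1) {
          v = substr($i, length(k) + 2); gsub(/"/, "", v); return v
        }
      return ""
    }
    $1 == "type=SYSCALL" { pid[$2] = field("pid"); exe[$2] = field("exe") }
    $1 == "type=PATH" {
      nt = field("nametype")
      if (nt == "CREATE" || nt == "DELETE") {
        ts = $2; sub(/^msg=audit\(/, "", ts); sub(/:.*/, "", ts)
        print ts, nt, field("name"), "pid=" pid[$2], "exe=" exe[$2]
      }
    }'
}

# Stand-alone run on the constructed sample.
sample_events | who_touched
```

The overwrite event in the middle is skipped on purpose: it changes mtime but not the directory entry, which is why mtime alone did not line up with any shell history in this thread.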
  #7  
Old 25th September 2017, 11:33 AM
HaydnH Offline
Re: unknown tmp file appears and disappears

Quote:
Originally Posted by dswaner
The reason the timestamps didn't match up was because the process overwrote that file many times - so the mtime changed many times.
For future reference, assuming the inode info isn't changing, then ctime (rather than mtime) might show you the creation date. You might be able to see the file's real "birth time" using stat, depending on your configuration, as well.
  #8  
Old 25th September 2017, 02:39 PM
dswaner Offline
Re: unknown tmp file appears and disappears

Yes, ctime would be the most useful in this situation. For my setup, stat doesn't work. What does work is:
Code:
sudo debugfs -R "stat ...file..." /dev/...
though it's a little inconvenient. (Ref. https://forums.fedoraforum.org/archi.../t-303162.html)

CORRECTION:
I should have said "crtime" (create time, aka birth time) not "ctime" (change attribute time) above. Even though ctime may be the same as the birth time, with the debugfs trick, I can find the real crtime.

Last edited by dswaner; 25th September 2017 at 06:11 PM. Reason: Correction